
Alert to search greater than 30 days


Hi there,

I'm looking to create an alert that searches for entries 30 days greater than today. So basically, if I run the alert in a search right now, and 31 days ago something was created, I want to see those results. I figured out that I need a where clause since the advanced search isn't retained when you save as>alert, but I can't figure out the correct way to write it. I'd appreciate any help. Thanks so much!


2 Answers

In your search, you can explicitly set a time range. This is true whether the search is used as an alert or a report. While you can do this by clicking the timerange selector, you can also do it in the search itself, like this:

sourcetype=xyx index=abc earliest=-31d@d latest=-30d@d

This says "start the search at the beginning of the day exactly 31 days ago, and end the search at the beginning of the day exactly 30 days ago."

Instead of "d" for day, you can also use (h)our, (m)inute, etc. Here is the list of time modifiers and a few examples.
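To make the relative-time modifiers concrete, here is an added Python example (not part of the answer above, and not Splunk's own code) that resolves modifiers such as `-31d@d` and `-30d@d` against a fixed "now" and checks which event timestamps fall inside the resulting window. It implements only the subset of the modifier grammar used in the answer (a signed offset in seconds, minutes, hours or days, followed by an optional `@` snap to the start of that unit, with the offset applied before the snap); the event timestamps are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative-time units handled here (assumption: s, m, h, d only;
# weeks, months, years and weekday snaps are not implemented).
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

# "<offset><unit>" then optional "@<snap-unit>", e.g. "-31d@d", "-1h@h", "@d", "-15m".
_MOD_RE = re.compile(r"^(?P<off>[+-]\d+)(?P<unit>[smhd])?(?:@(?P<snap>[smhd]))?$|^@(?P<snap_only>[smhd])$")


def snap_to(t: datetime, unit: str) -> datetime:
    """Truncate t to the beginning of the given unit (like Splunk's @s/@m/@h/@d)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit: {unit}")


def resolve(modifier: str, now: datetime) -> datetime:
    """Turn a relative-time modifier into an absolute datetime relative to `now`."""
    if modifier == "now":
        return now
    m = _MOD_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier}")
    if m.group("snap_only"):
        return snap_to(now, m.group("snap_only"))
    t = now + timedelta(**{_UNIT[m.group("unit")]: int(m.group("off"))})
    if m.group("snap"):
        t = snap_to(t, m.group("snap"))
    return t


def alert_window(now: datetime, earliest: str = "-31d@d", latest: str = "-30d@d"):
    """The window the answer's search covers: [earliest, latest) resolved against now."""
    return resolve(earliest, now), resolve(latest, now)


def matching_events(events, now: datetime, earliest: str = "-31d@d", latest: str = "-30d@d"):
    """Return the (timestamp, message) pairs whose timestamp falls in the search window.
    Splunk treats the range as earliest-inclusive, latest-exclusive, which is mirrored here."""
    start, end = alert_window(now, earliest, latest)
    return [ev for ev in events if start <= ev[0] < end]


# Constructed sample events (not real data): three around the 31-days-ago boundary.
SAMPLE_NOW = datetime(2024, 3, 15, 14, 30)
SAMPLE_EVENTS = [
    (datetime(2024, 2, 12, 23, 59), "created too early: 32 days ago"),
    (datetime(2024, 2, 13, 9, 0), "created 31 days ago: should alert"),
    (datetime(2024, 2, 14, 0, 0), "exactly on latest boundary: excluded"),
    (datetime(2024, 3, 14, 8, 0), "created yesterday: not yet due"),
]

if __name__ == "__main__":
    start, end = alert_window(SAMPLE_NOW)
    print(f"window: {start} <= _time < {end}")
    for ts, msg in matching_events(SAMPLE_EVENTS, SAMPLE_NOW):
        print(ts, msg)
```

Running it shows the window `2024-02-13 00:00 <= _time < 2024-02-14 00:00` and only the event created 31 days ago; the same window is what `earliest=-31d@d latest=-30d@d` selects when the alert fires on 2024-03-15, whatever time of day the scheduler runs it, because the `@d` snap discards the time-of-day component.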